Wg-access-server: An all-in-one WireGuard VPN solution with a web UI (github.com/place1)
137 points by mmmmkay 59 days ago | hide | past | favorite | 43 comments

I think it's worth knowing how simple and easy it is to set up wireguard when you don't need a web UI or any of that other fluff on there. Every computer running linux on a recent enough kernel can do it on a completely clean base install -- I figure a lot of the appeal for me is that I'm not introducing any risks on my system by installing extraneous packages. Means less maintenance whenever those have to be updated for security problems, meaning we get to bird two stones with one kill. Can be set up with nothing more than the shell and vi. It's right in entrypoint.sh[1] and some dockerfiles - set up firewall; set up wireguard devices, keys and configs; set up dnsmasq. Three simple steps on linux or openbsd (not sure if FreeBSD ever got past that integration issue yet).

[1] https://github.com/subspacecommunity/subspace/blob/master/en...
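The three steps named above, written out as an added example (this is not the subspace entrypoint.sh, nor code from wg-access-server). It renders the three artifacts to a directory first so they can be reviewed before the root-only `apply` step loads them; interface names, addresses, ports, the upstream resolver and the key strings are constructed placeholders, and in real use the keys come from `wg genkey` / `wg pubkey`.

```shell
#!/bin/sh
# Added example: render (1) a wg-quick config, (2) an nftables ruleset and
# (3) a dnsmasq config for a small WireGuard server, then apply as root.
# All names, addresses, ports and keys below are constructed placeholders.
set -eu

# render_wg_conf OUTDIR SERVER_PRIVKEY LISTEN_PORT SERVER_CIDR PEER_PUBKEY PEER_IP
# Step 1: device, keys and config in wg-quick format.
render_wg_conf() {
  outdir=$1; privkey=$2; port=$3; server_cidr=$4; peer_pub=$5; peer_ip=$6
  cat > "$outdir/wg0.conf" <<EOF
[Interface]
Address = $server_cidr
ListenPort = $port
PrivateKey = $privkey

[Peer]
PublicKey = $peer_pub
# Server-side AllowedIPs is a /32: packets from this key may only carry this
# source address, so one peer cannot impersonate another inside the tunnel.
AllowedIPs = $peer_ip/32
EOF
  chmod 600 "$outdir/wg0.conf"   # the file holds the private key
}

# render_nft_rules OUTDIR WAN_IF WG_PORT TUNNEL_CIDR
# Step 2: firewall. Default-drop input, forward only tunnel -> WAN,
# masquerade tunnel traffic leaving on the WAN interface.
render_nft_rules() {
  outdir=$1; wan_if=$2; port=$3; tunnel_cidr=$4
  cat > "$outdir/wg.nft" <<EOF
table inet wg {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    tcp dport 22 accept
    udp dport $port accept
    iifname "wg0" udp dport 53 accept
    iifname "wg0" tcp dport 53 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "wg0" oifname "$wan_if" accept
  }
}
table ip wg_nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    ip saddr $tunnel_cidr oifname "$wan_if" masquerade
  }
}
EOF
}

# render_dnsmasq_conf OUTDIR TUNNEL_IP UPSTREAM
# Step 3: a resolver that listens only on the tunnel side.
render_dnsmasq_conf() {
  outdir=$1; tunnel_ip=$2; upstream=$3
  cat > "$outdir/dnsmasq.conf" <<EOF
interface=wg0
bind-interfaces
listen-address=$tunnel_ip
no-resolv
server=$upstream
EOF
}

# render_all OUTDIR: all three files with the constructed sample values.
render_all() {
  render_wg_conf "$1" "SERVER_PRIVATE_KEY_PLACEHOLDER" 51820 10.8.0.1/24 \
    "PEER_PUBLIC_KEY_PLACEHOLDER" 10.8.0.2
  render_nft_rules "$1" eth0 51820 10.8.0.0/24
  render_dnsmasq_conf "$1" 10.8.0.1 9.9.9.9
}

# apply OUTDIR: the root-only step; loads what render_all produced.
apply() {
  sysctl -w net.ipv4.ip_forward=1
  nft -f "$1/wg.nft"
  install -m 600 "$1/wg0.conf" /etc/wireguard/wg0.conf
  wg-quick up wg0
  install -m 644 "$1/dnsmasq.conf" /etc/dnsmasq.d/wg.conf
  systemctl restart dnsmasq
}

# `sh setup.sh apply` renders into a temp dir and applies; with no argument
# the functions are only defined, which is what lets them be reviewed or tested.
if [ "${1:-}" = "apply" ]; then
  d=$(mktemp -d); render_all "$d"; apply "$d"
fi
```

The firewall file is the part worth staring at: input is default-drop, DNS is only reachable from `wg0`, and forwarding is limited to tunnel-to-WAN, which is the part of the setup that a generic "forward everything" script tends to leave wide open.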

I think it's also worth mentioning this works even better than openvpn as a client on windows and my phones!

Setting up the FW and routing is not trivial for anyone who hasn't had to deal with that aspect of Linux before. 99% of people are going to want a straightforward tunnel that simply forwards everything to the default route table of the server. Which is of course what the linked script does. But even experienced devs are going to have no idea what the heck a prerouting chain or a masquerade rule does.

I've done that journey.

At least for me, a major issue turned out to be the abstractions (like wg-quick, ufw, network-manager, openwrt) which on one hand obscure the inner workings but at the same time are limited enough that at some point you will be forced to dig deeper. They also don't always play nicely together wrt routes, routing policies and *tables rules.

I wasted so much time (probably weeks, added together) in my younger days banging my head against the wall with Linux networking. Throwing out other high-level tools/frameworks and starting "from scratch" on CentOS/Rocky/Debian with only systemd-networkd and nftables has now made me mostly comfortable and I finally feel in control of the networking stack on my Linux boxes. I say "mostly" because, well, Docker and CNI...

Oh, and see my sibling comment.

Just use OpenBSD, so much of that crap just gets out of the way because it was never glued on without anyone asking. For routing stuff like VPNs and routers especially this becomes my first choice, unless we're really needing to hit gigabit speeds... Try fresh air for once!

Two things I learned that were game-changers in setting up and managing Wireguard on Linux:

* The semantics and behavior of AllowedIPs. In itself, it means what IPs are allowed to be routed through the tunnel (that is, IPs "on the other end"). wg-quick will, additionally, add routes to these, but that's not part of Wireguard itself.

* systemd-networkd has native support for Wireguard netdevs and networks. It's pretty easy to set up and makes it a lot more flexible; it won't add routes to AllowedIPs like wg-quick but you can define the routes (and routing policies and tables) you want in the same file. [0]

As much flak as systemd gets, systemd-networkd has by far been the most sane way for me to manage networking on Linux, and I tried most.

I'd also like to take the opportunity to recommend nftables instead of iptables. Unless you already have good reasons to prefer iptables, nftables is so much easier to learn and manage.

Oh, and ufw gets ugly real fast. Managing it through ansible or similar is a real mess. firewalld is a lot more predictable IMO. Its routing story is not perfect but it's the best I found so far and can be complemented with ip and manual nftables rules[2].

[0]: https://manpages.debian.org/buster/systemd/systemd.netdev.5....

[1]: https://wiki.archlinux.org/title/WireGuard#systemd-networkd

[2]: https://serverfault.com/a/1046246
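The systemd-networkd setup described above, as an added example (not taken from the linked man page or the Arch wiki): a `.netdev` that holds the WireGuard keys and peers, and a `.network` that adds the routes and policy rule that networkd, unlike wg-quick, will not derive from `AllowedIPs`. Interface name, key file path, addresses, endpoint and the routing table number are constructed placeholders.

```shell
#!/bin/sh
# Added example: render a systemd-networkd WireGuard netdev and its network
# unit. Names, paths, addresses and table number are constructed placeholders.
set -eu

# render_netdev OUTDIR PRIVKEY_FILE LISTEN_PORT PEER_PUBKEY PEER_ALLOWED PEER_ENDPOINT
# The .netdev carries only WireGuard state: key, port, peers.
render_netdev() {
  outdir=$1; keyfile=$2; port=$3; peer_pub=$4; allowed=$5; endpoint=$6
  cat > "$outdir/90-wg0.netdev" <<EOF
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# Key lives in a root-only file, so this unit itself need not be secret.
PrivateKeyFile=$keyfile
ListenPort=$port

[WireGuardPeer]
PublicKey=$peer_pub
# Cryptokey routing: the destinations this key may carry (and the sources it
# may send). networkd does NOT turn this into kernel routes; see the .network.
AllowedIPs=$allowed
Endpoint=$endpoint
PersistentKeepalive=25
EOF
}

# render_network OUTDIR ADDRESS ALLOWED TABLE
# The .network carries the address, the explicit route for the peer's
# AllowedIPs, and a policy rule so that route is in a dedicated table.
render_network() {
  outdir=$1; address=$2; allowed=$3; table=$4
  cat > "$outdir/90-wg0.network" <<EOF
[Match]
Name=wg0

[Network]
Address=$address

[Route]
Destination=$allowed
Table=$table

[RoutingPolicyRule]
To=$allowed
Table=$table
Priority=1000
EOF
}

# render_all OUTDIR: both units with the constructed sample values.
render_all() {
  render_netdev "$1" /etc/systemd/network/wg0.key 51820 \
    "PEER_PUBLIC_KEY_PLACEHOLDER" 192.168.50.0/24 vpn.example.invalid:51820
  render_network "$1" 10.8.0.2/24 192.168.50.0/24 200
}

# install_units OUTDIR: root-only; copies the units and reloads networkd.
install_units() {
  install -m 644 "$1/90-wg0.netdev" /etc/systemd/network/90-wg0.netdev
  install -m 644 "$1/90-wg0.network" /etc/systemd/network/90-wg0.network
  networkctl reload
}

if [ "${1:-}" = "install" ]; then
  d=$(mktemp -d); render_all "$d"; install_units "$d"
fi
```

Keeping the `[Route]` next to `AllowedIPs` in a reviewable file is the flexibility the comment refers to: a peer can be allowed to carry a prefix without that prefix being routed into the tunnel, or routed only for traffic matched by a policy rule, neither of which wg-quick expresses.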

I'm a linux user and I want plenty more than just a VPN connection. I want the icon that tells me the VPN is connected. I want the GUI that lets me manage which server I am connecting to and which servers are the most loaded at a particular moment. I want to control from which country my traffic appears on the public internet. I want the little graph showing me that my traffic is indeed flowing over the VPN service. I want a kill switch daemon ready to cut off my traffic should the VPN connection fail. And I want all of that without having to edit any scripts.

Then you should've known that KDE already has a wireguard applet implemented in its network manager as of version 5.21, while Gnome is on track and just waiting to be merged.

Does KDE network manager still delete the VPN entry at the end of the setting up process if there is an error in the config?

Anyway, I was just looking how to add a WG VPN entry in kubuntu 18.04 but its version of KDE is a bit behind so CLI it is.

I'd settle for an independent KDE widget though.

FFS, they still do and what's worse is that bringing up the VPN manually on the command line triggers a notification and a temporary vpn entry in the network panel. But it disappears when bringing down the VPN.

FreeBSD got past the issues by rewriting it, although it is not yet in a stable release; it will probably wait until 13.1.

Subspace is a similar project which is also quite easy to set up.

That is nice to see, I was looking at subspace last week and the last commit to https://github.com/subspacecloud/subspace had led me to believe it had withered and died, I was guessing due to the primary backing company having died?

So it is quite nice to see that it is living on as a fork.

There seems to be a relative explosion in end-user deployable overlay networks in the last few years. I wonder how many, especially non-tech companies, have end users routing the outside world in without company permission.

I know it's not rocket science to watch for each one, or be more sophisticated with deep packet inspection. But, I've worked at some old stodgy companies, and I'm reasonably sure they aren't really watching for it in a lot of places.

This has been a threat for 20+ years, certainly everyone I worked with had outgoing ssh tunnels through the socks proxy, with reverse port forwarding, back then.

If your network is reliant on a high firewall and nothing inside, you've already lost.

Yes, I'm not saying it is a new threat. Just a broader threat now that there's a lot of ready made solutions that can run in user space. And in some cases, like this one, have very newbie friendly UIs.

Depends on the company. Stuff like Crowdstrike and the more advanced Defender service spot this sort of thing.

SSH is probably the best one, especially as you can usually get policy exceptions to access cloud resources.

I would kill for this but integrated into home assistant. There is a wireguard add-on but it's really limited and requires going in by ssh to get people's qr codes.

The web GUI looks a little like Home Assistant, or ESPHome.

Anyone know of good tools for using WireGuard in large server fleets? I'm currently trying to pitch an alternative to OpenVPN at work, paid solutions being pretty much out of the question. ZeroTier (w/ open license network controller) might work but it doesn't look like mutual authentication is supported. Ideally we'd like to use X509 auth which OpenVPN is already capable of...

This is a big part of the problem Tailscale solves. If I was managing a large fleet and already had an auth infrastructure, I'd almost certainly just use it. (Tailscale is WireGuard, plus NAT traversal, plus user management, plus OIDC, plus UI. It's pretty magical.)

I would imagine it's too costly. We have thousands and thousands of machines and we're really not willing to pay anything to solve this, as nice as Tailscale would be.

Frustratingly there's no real "Enterprise" plan on their site, it's another one of those "get in touch" plans that I don't have the energy or time for. Guys at Tailscale, please just list an actual damn enterprise option so I can get an idea of how much it's going to cost if I push for this at work.

Tailscale charges by user, not by machine. As does nearly every piece of SaaS software today.

A quick google search for mutual authentication and WireGuard comes up with the whitepaper[1]:

“It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys—Curve25519 points—are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLS’s cookie mechanisms to add encryption and authentication”[13]

Furthermore the email it's introduced with[2]:

`Second, WireGuard uses something based on the Noise Protocol Framework (in Noise_IK) for key agreement and handshake, rather than, say, relegating to a userspace daemon. The reason, again, is massive simplicity and security savings. The Noise_IK handshake is extremely simple, and tight integration between the handshake and the transport layer allows WireGuard itself to handle all session-state and connection-state and so-forth, making the whole process appear "stateless" to the administrator (you set it up with `wg`, and then it _just works_). There is no x509, no ASN.1, no huge complexity; the user configures the public keys, and then the rest is taken care of. Other configuration frameworks (based on x509 or SSL or LDAP or whatever you want) can then build on top of this in userspace, if that sort of thing is desired. But the basic handshake fundamentals are left to WireGuard. This is more or less similar to SSH, which cares about the authorized_keys file.`

It looks like some solutions for key management have sprouted up; check trustgrid[3] and locksmith[4].

[1] https://www.wireguard.com/papers/wireguard.pdf

[2] https://lwn.net/Articles/693015/

[3] https://trustgrid.io/wireguard-for-the-enterprise/

[4] https://github.com/the-maldridge/locksmith

Have you looked into https://github.com/slackhq/nebula? It uses X509 cert for auth.

Although for my home lab, using X509 is more of a minus than a plus due to complexity involved.

Nebula uses public key certificates, but they are not x509. The nebula certificate format uses protobuf for its encoding.

Has anyone used this for internal company VPN for accessing resources on something like AWS VPC?

Not this specifically, but I use Tailscale for this use-case (as far as I can tell they're similar solutions) and it's fantastic.

I second this. Tailscale is great. However, if you're someone that prefers a self-hosted option (and open source) - there is HeadScale. It lets you run your own coordination server locally.

Unfortunately I can't justify a paid option right now, and I need to be able to support at least 5 to 10 users. Otherwise I would jump on it, it's very good.

Tailscale is incredible in its ease of use. So much so that I got scared and turned it off.

I need to read more then be brave.

Kinda, we've been using wg on multiple servers (~10 atm) across two different networks to aggregate monitoring data from each.

Works like a charm so far, we provision them all via Ansible and use iptables to only allow access to metric endpoints via the wg0 interface.

So far, we haven't had a single issue in 6 months.
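The "metrics only via wg0" policy from this comment, as an added example in nftables rather than the commenter's iptables (this is not their Ansible role or their rules). It renders a default-drop input chain for a fleet host where the metrics port is reachable only from peers already inside the tunnel; the interface names, the WireGuard port and the metrics port are constructed placeholders.

```shell
#!/bin/sh
# Added example: nftables ruleset for a monitored host that exposes its
# metrics endpoint only on the WireGuard interface. Interface names and
# port numbers are constructed placeholders.
set -eu

# render_host_rules OUTDIR WAN_IF WG_PORT METRICS_PORT
render_host_rules() {
  outdir=$1; wan_if=$2; wg_port=$3; metrics_port=$4
  cat > "$outdir/host.nft" <<EOF
table inet host {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    # WireGuard itself must be reachable from outside the tunnel.
    iifname "$wan_if" udp dport $wg_port accept
    # Management; narrow with a source set in a real deployment.
    tcp dport 22 accept
    # Metrics scraping only from peers that are already inside the tunnel.
    iifname "wg0" tcp dport $metrics_port accept
    # Same port from any other interface: log, then drop, so an exporter
    # accidentally bound to 0.0.0.0 shows up in the logs instead of on the WAN.
    tcp dport $metrics_port log prefix "metrics-blocked: " drop
  }
}
EOF
}

# render_all OUTDIR: sample values (eth0 WAN, 51820 WireGuard, 9100 metrics).
render_all() {
  render_host_rules "$1" eth0 51820 9100
}

# check RULESET: syntax-check without loading (nft -c); needs nft installed.
check() {
  nft -c -f "$1"
}

# apply RULESET: root-only; replaces the live ruleset with the rendered file.
apply() {
  nft -f "$1"
}

if [ "${1:-}" = "apply" ]; then
  d=$(mktemp -d); render_all "$d"; check "$d/host.nft"; apply "$d/host.nft"
fi
```

Rendering to a file and running `nft -c` first fits the Ansible workflow the comment describes: the template is the reviewable artifact, the check task fails the play on a typo, and the apply task is idempotent because the file replaces the whole table.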

Does anyone have recommended newbie guides for setting up wireguard when all you have experience with is older L2TP Server/Client setups?

In addition to what was already posted: https://www.linuxbabe.com/debian/wireguard-vpn-server-debian

I find this one quite easy to follow, you can skip the dns part if you just want to check out if it works.

> set up firewall; set up wireguard devices, keys and configs; set up dnsmasq.

I'd look up one specific to your particular distro, though. There are differences in how network devices are managed.

How do permissions work (especially from Docker)? I remember `wg-quick up` requires `sudo` to bring up the WG network interface.

Says in the readme, basically:

  --cap-add NET_ADMIN \
  --device /dev/net/tun:/dev/net/tun \

That's giving it permission to administer the tunnel devices.

> --cap-add NET_ADMIN

> --device /dev/net/tun:/dev/net/tun

Nice, I had forgotten about wireguard GUI but now that I have upgraded some VPS to Debian 11 I can use it without hassle.

Is there a way to add MFA to this or should it be done if there is OIDC?

Don't click if you hate yet another npm *

If it's a single binary why do I need docker?

For me, rolling everything into a docker-compose.yaml makes installs near instant.

Why is this guy downvoted without a single reply?
